Leading in a Crisis Part 1: Preparation – David Falzani, SMF President

Tuesday, 3 November 2015

When crisis strikes your organisation, who are you going to call? A consultant? The bank? Your legal team?

Unfortunately, there are few easy fixes to a business crisis. Crisis can strike at any time and in any form, and some can end up being so severe that your company may have to cease operations entirely. There is no magic wand to wave, and while crack teams of experts who will solve all of your problems are the stuff of dreams, it is ultimately you who must lead the company’s ship through the storm. So what is a crisis? And how do we best prepare an organisation for such an emergency?

The problem of risk
Risk management seems to dominate the day-to-day operations of our institutions and workplaces more than ever before. The very phrase can send even the most hardened manager into cold sweats, conjuring up memories of hours of paperwork to protect the company or premises against anything from fire to burglary.

However, this simplistic understanding of risk can obscure some of the most important lessons of security culture and the problem of risk. Successfully preparing for a crisis and managing its subsequent fallout ultimately requires a shift in organisational culture – one which seeks to manage and limit insecurity. This further requires a parallel shift in how we conceptualise risk.

Risk does not just refer to specific areas of potential crisis, such as property damage. It refers to a whole range of potentialities that could negatively – and significantly – impact your operations. Cisco offer a useful definition of risk as “Risk = Value x Threat x Vulnerability”.

Preparing for disaster
Of course, we can never be fully prepared for risk – its very nature implies it is always a possibility. Whether a crisis is caused by external factors, such as a major environmental disaster, arson or an information breach, or something internal, such as rogue bookkeeping or sabotage, it can be so unpredictable that preparation and security thinking should be of the utmost priority. While risk or insecurity can never be eradicated, they can certainly be managed.

Start by developing a clear process and strategy for gathering information about every one of the business’ operations. There are innumerable sources of risk within any company, and unfortunately, board members are often blind to these until it is too late. Line managers will be aware of many of the potential risks associated with their department, but they might also not have the same perspective as the employees they’re managing. The same goes for external experts who are able to assess your risk planning objectively and bring a fresh perspective to your situation.

It’s therefore worth entering into a dialogue with all stakeholders and at every level of the organisation. This can be achieved through stakeholder mapping, which involves:

Identifying and categorising your different stakeholder groups, from your employees to your customers

Research, identifying and defining the specific issues each group may face, and how much influence your company has over them

Defining an ideal outcome of a crisis, how to manage its fallout, and how to mobilise each stakeholder toward solving the problem

This will not only give you diverse information about potential areas of insecurity (allowing you to plan for crisis scenarios), but it is also the first step in establishing a permanent culture of security throughout the company hierarchy. Any so-called ‘security team’ should ideally be drawn from this diverse knowledge base.

Keeping this flow of information regular and comprehensive is vital in keeping your executives and managers informed and involved. In other words, every member of your company should be constantly aware of the risks around them. With the right protocol and procedure in place, developed according to rigorous risk assessments, you are already well on your way to being prepared for a crisis.

Simply put, open and transparent communication with stakeholders is a must. It is vital to remember that any crisis you have is going to affect not just your internal operations, but everyone around you as well. Therefore any considerations of risk should not just extend to your internal organisational culture – how it will impact you – but also the impact it is going to have on your company’s image and, most importantly, your consumer base.